Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Andrews
In message <20100420121646.ge15...@vacation.karoshi.com.>, bmann...@vacation.karoshi.com writes: > On Tue, Apr 20, 2010 at 01:58:13PM +1000, Mark Andrews wrote: > > > > > You are charmingly naive about how "the law" actually works in the USA - > > &

Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Andrews
> solutions. Hopefully being on the Internet, for the home user, will mean you have IPv6 connectivity and public address space handed out using PD in 3-5 years time. That Google, Yahoo etc. have turned on IPv6 to everyone. DS-lite or some other distributed NAT44 technology is being used

Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Andrews
In message <67d28817-d47b-468f-9212-186c60531...@internode.com.au>, Mark Newton writes: > > On 20/04/2010, at 1:28 PM, Mark Andrews wrote: > > > Changing from a public IP address to a private IP address is a big > > change in the conditions of the contract. People

Re: Rate of growth on IPv6 not fast enough?

2010-04-20 Thread Mark Andrews
> > We should be especially cautious about it when the functionality we are > > interested in is really no more than a happy side effect of some other > > functionality. NAT's "security", to the extent that it exists at all, is > > a side effect of what it is inte

Re: Connectivity to an IPv6-only site

2010-04-23 Thread Mark Andrews
g to revisit that config switch. > > Anybody have some statistics on what the current situation is? Given I've been running dual stack nameservers for the last 7 years and never noticed any real problems I expect his problems are actually closer to home. Mark -- Mark Andrews, ISC 1 Seym

Re: [Re: http://tools.ietf.org/search/draft-hain-ipv6-ulac-01]

2010-04-25 Thread Mark Andrews
s they need to renumber you, you'll probably get > > a new RA with the 60/90 minute lifetimes specified each time RAs are > > sent and your counters will all get reset to 60/90 for the foreseeable > > future. The preferred and valid lifetimes aren't limitations, t

Re: Connectivity to an IPv6-only site

2010-04-26 Thread Mark Andrews
dors that return broken DNS responses. This is after pointing out that the load balancer is broken and saying why I want it (to inform the vendor / warn others not to purchase a broken product). Invariably the administrator is too paranoid to supply the information. The best one can hope for

Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-27 Thread Mark Andrews
en my brother printer has a firewall built into it and it supports IPv6. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: IPv6 rDNS - how will it be done?

2010-04-27 Thread Mark Andrews
you can delegate the reverse for the /48 to servers run by the customers. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: [Nanog] Re: IPv6 rDNS - how will it be done?

2010-04-27 Thread Mark Andrews
In message <268ebce2-9d47-488e-8223-29b5a6323...@godshell.com>, "Jason 'XenoPhage' Frisvold" writes: > On Apr 27, 2010, at 8:42 PM, Mark Andrews wrote: > > Windows will just populate the reverse zone as needed, if you let > > it, using dynamic upda

Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread Mark Andrews
y to change service providers without having to renumber? We have that ability already. Doesn't require NAT. > Regards, > -drc -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread Mark Andrews
In message , David Conrad writes: > Mark, > > On Apr 28, 2010, at 3:07 PM, Mark Andrews wrote: > >> Perhaps the ability to change service providers without having to renumber? > > > > We have that ability already. Doesn't require NAT. >

Anyone from UUNET.CA around.

2010-04-28 Thread Mark Andrews
o3t0osxa060...@drugs.dv.isc.org> To: n...@uunet.ca From: Mark Andrews Subject: It shouldn't be this hard Date: Thu, 29 Apr 2010 10:50:54 +1000 Sender: ma...@isc.org Can't get to www.uunet.ca connection times out. Non-working address in SOA contact field. - --- Forwarded Me

Re: Dial Concentrators - TNT / APX8000 R.I.P.

2010-05-10 Thread Mark Andrews
ver IPv4 and run a tunnel broker. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Dial Concentrators - TNT / APX8000 R.I.P.

2010-05-10 Thread Mark Andrews
es does. > > 6to4 You don't want 6to4. Even if you provide relay routers the return traffic is problematic. 6to4 also requires public IPv4 addresses and you will eventually want to share these between your customers. > Antonio Querubin > 808-545-5282 x3003 > e-mail/xmpp: t...@l

Re: Dial Concentrators - TNT / APX8000 R.I.P.

2010-05-10 Thread Mark Andrews
In message <201005110413.o4b4disn031...@drugs.dv.isc.org>, Mark Andrews writes: > > > How are ISPs that still offer dialup going to handle dialup and IPv6? I > > > know the TNTs don't do it, and I don't think most of the old equipment > > > in use

Re: Todd Underwood was a little late

2010-06-16 Thread Mark Andrews
NAT router, > and they're leaking some traffic non-NAT'd. Why was this traffic hitting your DNS server in the first place? It should have been rejected by the ingress filters preventing spoofing of the local network. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 211

Re: Todd Underwood was a little late

2010-06-16 Thread Mark Andrews
In message , Jon Lewis writes: > On Thu, 17 Jun 2010, Mark Andrews wrote: > > > Why was this traffic hitting your DNS server in the first place? It should > > have been rejected by the ingress filters preventing spoofing of the local > > network. > > When I ra

Re: DNSsec from domailcontrol.com

2010-06-18 Thread Mark Andrews
loomus.com > without any success. > > > Does someone have any brilliant suggestions? > Please contact me on or off list > > Regards > MKS The server isn't even EDNS aware. I suspect your firewall doesn't like a plain DNS response to an EDNS query. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Lightly used IP addresses

2010-08-16 Thread Mark Andrews
than hoping that they are correct. > Nick > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Comcast enables 6to4 relays

2010-08-31 Thread Mark Andrews
our own 6to4 > router? > > If for example all my users have v4 addresses in 192.0.2.0/24, I could > advertise 2002:C002:::/40 instead of or in addition to the full > 2002::/16. > > Cheers. > Mitchell Which would end up with the entire set of IPv4 routes in IPv6. Th

Re: Where to buy Internet IP addresses

2009-05-01 Thread Mark Andrews
- Network Engineering - j...@impulse.net > Impulse Internet Service - http://www.impulse.net/ > Your local telephone and internet company - 805 884-6323 - WB6RDV > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: Where to buy Internet IP addresses

2009-05-01 Thread Mark Andrews
In message <20090502002406.gk4...@hezmatt.org>, Matthew Palmer writes: > On Sat, May 02, 2009 at 09:40:23AM +1000, Mark Andrews wrote: > > > > In message <49fb4661.8090...@west.net>, Jay Hennigan writes: > > > LEdouard Louis wrote: > > > > Optimu

Re: you're not interesting, was Re: another brick in the wall[ed garden]

2009-05-14 Thread Mark Andrews
can do it. Mark > Regards, > John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies > ", > Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor > "More Wiener schnitzel, please", said Tom, revealingly. > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: you're not interesting, was Re: another brick in the wall[ed garden]

2009-05-14 Thread Mark Andrews
In message <70d072392e56884193e3d2de09c097a91f3...@pascal.zaphodb.org>, "Tomas L. Byrnes" writes: > Disclaimer: I have a dog in this fight, since ThreatSTOP is dependent on > DNS/TCP. > > >-Original Message- > >From: Mark Andrews [mailto:mark_andr.

Re: MX Record Theories

2009-05-26 Thread Mark Andrews
NS referral from the root servers to the COM servers already exceeded 512 bytes. The world hasn't fallen over. That's dealt with that myth. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: MX Record Theories

2009-05-28 Thread Mark Andrews
DNS responses. It will have an impact on the number of DNS queries made iff the recipients are in multiple mail domains. Mark > -BobbyJim -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: DNS ed.gov translations

2009-05-28 Thread Mark Andrews
; Williams College > (413) 597-3408 (office) > (413) 822-2922 (cell) > OIT will NEVER ask for your password! What nameserver and version are you running? What options do you have turned on in the nameserver? What firewall settings do you have? Do you allow fragments through? Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: glue record

2009-05-28 Thread Mark Andrews
obi. 86400 IN A 117.102.248.2 > ns2.push.mobi. 86400 IN A 117.102.248.3 > - > > best, > Anton. > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: glue record

2009-05-29 Thread Mark Andrews
for certain that glue is needed. There are other delegation patterns that also need glue to be returned. Mark > --bill > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: ARIN and DNSSEC

2009-07-07 Thread Mark Andrews
ld master to parent master so humans were completely out of the loop except to establish the initial DS RRset in the parent. Nanog however isn't the venue to discuss this. I would think IETF DNSEXT WG would be a reasonable place to hold the discussion. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: ARIN and DNSSEC

2009-07-07 Thread Mark Andrews
In message <20090708013805.ga1...@vacation.karoshi.com.>, bmann...@vacation.karoshi.com writes: > On Wed, Jul 08, 2009 at 11:09:49AM +1000, Mark Andrews wrote: > > > > In message <20090707171251.ga2...@arin.net>, Mark Kosters writes: > > > On Mon, Jul 06,

Re: CADR

2009-07-07 Thread Mark Andrews
In message <20090708025854.ga1...@vacation.karoshi.com.>, bmann...@vacation.karoshi.com writes: > On Wed, Jul 08, 2009 at 11:58:17AM +1000, Mark Andrews wrote: > > > > > > > received a lot of good feedback with the conclusion that using a restful &g

Re: The actual value, from a security standpoint, of using a proxy domain registrar?

2009-07-15 Thread Mark Andrews
pted to report an operational problem with DNS servers and delegations just to have the email bounce due to the data being out of date. Proxy services just add yet another layer that can go wrong. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: DNS alternatives (was Re: Dan Kaminsky)

2009-08-05 Thread Mark Andrews
ion of the transport stack will likely be both a > driver and an effect of this trend, over time. > > --- > Roland Dobbins // <http://www.arbornetworks.com> > > Unfortunately, inefficiency scales really well. > > -- Kevin Lawt

Re: Dan Kaminsky

2009-08-05 Thread Mark Andrews
s too late for the pebbles to vote. There is a difference between looking for a service and looking for a specific vendor of a service. > As the person I was replying to said, DNS is unlikely to go away, > but I'll lay good money that some day most people won't eve

Re: dnscurve and DNS hardening, was Re: Dan Kaminsky

2009-08-05 Thread Mark Andrews
ally poorly done. It also only works well for iterative resolvers. It doesn't work well for stub resolvers, nameservers that forward etc. as one now has a key distribution problem. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Dan Kaminsky

2009-08-05 Thread Mark Andrews
le.com/support/bin/answer.py?answer=6596 26si8920387qyk.119 quit 221 2.0.0 closing connection 26si8920387qyk.119 Connection closed by foreign host. farside.isc.org:marka {3} % -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: IPv6 Addressing Help

2009-08-14 Thread Mark Andrews
services as well. > This question gets asked so many times now, whilst people argue about > the implications of using networks smaller than /64 for anything > such deployments continue to exist and are successful. > > Perhaps we should document people's addressing plans s

Re: IPv6 Addressing Help

2009-08-17 Thread Mark Andrews
f the reasons for going to 128 bits was so that we wouldn't have to worry about being overly conservative with address at the network level. The original thinking was /80 which later changed to /64. Pack networks not hosts. Mark > -- > This message has been scanned for viruses and >

Re: Beware: a very bad precedent set

2009-08-31 Thread Mark Andrews
enerally > accepted that ignoring reports of infringement can bring about liability. > > Jack It will be interesting to see the court cases against ISP's that don't shutdown other illegal activities once they have been notified. abuse@ better not be a blackhole or you are put

Re: Any RIM / blackberry folks around ?

2009-09-06 Thread Mark Andrews
not resolve > > This could just be an SPF failure. Try some sender address you > control. > If it is then that is a very bad diagnostic message. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Mark Andrews
nts). This will be painful for some. Note we all could start using IPv6 and avoid this problem altogether. There is nothing stopping us using IPv6 especially for MTA's. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: cross connect reliability

2009-09-17 Thread Mark Andrews
re that 4th packet came along and knocked it free. I suspect > it could have gone higher, but random scanning traffic on the internet > was coming in. When there was a lot of traffic on the interface you > would never see the packet loss, just reordering of every 4th packet and > thus

Re: IPv6 internet broken, Verizon route prefix length policy

2009-10-12 Thread Mark Andrews
ed their first /48 from 2620:0::/23), if your > announcements are only longer than /32, you should be aware that Verizon > is completely unreachable for you - even if you are a Verizon customer > directly. > > -- > Jeff McAdams > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: IPv6 internet broken, Verizon route prefix length policy

2009-10-12 Thread Mark Andrews
In message <1255388942.12984.1.ca...@acer-laptop>, Bret Clark writes: > On Tue, 2009-10-13 at 09:40 +1100, Mark Andrews wrote: > > > > Verizon's policy has been related to me that they will not accept > > or > > > propagate any IPv6 route advertise

Re: ISP customer assignments

2009-10-13 Thread Mark Andrews
> for business DSL: the link has a dynamic address and your netblock is then > routed to it. (this is confusing and unworkable for a lot of cheap > hardware.) Just use a /64 for the customer link. That allows them to have a CGA if they need one. Mark -- Mark Andrews

Re: ISP customer assignments

2009-10-13 Thread Mark Andrews
y, and > the latest version will always have this filename, so please link to > it instead of copying it, etc. etc.: > > http://www.braintrust.co.nz/resources/ipv6_flow_chart/ipv6_flow_chart-current.pdf -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: ISP customer assignments

2009-10-14 Thread Mark Andrews
In message , Nathan Ward writes: > > On 14/10/2009, at 7:23 PM, Mark Andrews wrote: > > > DS-Lite is there for when the ISP runs out of IPv4 addresses to > > hand one to each customer. Many customers don't need a unique IPv4 > > address, these are the ones yo

Re: ISP customer assignments

2009-10-20 Thread Mark Andrews
satisfied that there is no traffic over them. > -- > > Thanks; Bill > > Note that this isn't my regular email account - It's still experimental so > far. > And Google probably logs and indexes everything you send it. > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: ISP customer assignments

2009-10-20 Thread Mark Andrews
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: ISP customer assignments

2009-10-20 Thread Mark Andrews
a day as they move between work and home. All machines should be in a position to renumber themselves as easily as we renumber a laptop. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: ISP customer assignments

2009-10-21 Thread Mark Andrews
ll honour the TTL in the records. > how often do the VPN devices revalidate the names? At startup. A well designed VPN protocol will support end point address mobility. > what happens when the dns changes while the vpn is still up? This should be transparent to everything other than th

Re: small site multi-homing (related to: Small guys with BGP issues)

2009-11-03 Thread Mark Andrews
vider assigned ones and use source address routing to find an appropriate exit path which doesn't break BCP 38. This is as good as the NAT solutions for small-site multi-homing today. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-05 Thread Mark Andrews
e.. ;)

Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-08 Thread Mark Andrews
s. A consumer should be able to reasonably assume that the message was delivered. If you bounce then they should be aware that it didn't get through and they can take other steps to inform you. > so, is this bill helping? or hurting? :( > > > > > And the immediate usptreams

Re: IPv6 Wow

2008-10-23 Thread Mark Andrews
ess space you are using. We need to automate the dissemination of these values within an ISP to the customers so they can correctly configure their address selection rules. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]

Re: Alaska DNS

2008-10-24 Thread Mark Andrews
s), > Approximate round trip times in milli-seconds: > Minimum = 235ms, Maximum = 252ms, Average = 246ms > > C:\Documents and Settings\Joseph> > > -- > Later, Joe > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]

Re: godaddy spam / abuse suspensions?

2008-11-16 Thread Mark Andrews
ny > > > action. > > > > Yes, and that'd make a good case for the good old ops practice of > > dialing down the TTL for a while before any NS change is made. > > > > --srs > > > -- > Jeremy Jackson > Coplanar Networks > (519)

Re: IPv6 routing /48s

2008-11-25 Thread Mark Andrews
ddrpolicy *pol, *ep; /usr/src/lib/libc/net/name6.c: ep = (struct in6_addrpolicy *)(buf + l); /usr/src/lib/libc/net/name6.c: for (pol = (struct in6_addrpolicy *)buf; pol + 1 <= ep; pol++) { /usr/src/lib/libc/net/name6.c: struct in6_addrpolicy *pol; % -- Mark Andrews, ISC 1 Seymour St., D

Re: IPv6 routing /48s

2008-11-25 Thread Mark Andrews
Mark Andrews writes: > > In message <[EMAIL PROTECTED]>, Niels Bakker writes: > > * [EMAIL PROTECTED] (Tony Hain) [Wed 26 Nov 2008, 01:03 CET]: > > > In any case, content providers can avoid the confusion if they simply put up > > > a local 6

Re: IPv6 routing /48s

2008-11-25 Thread Mark Andrews
In message <[EMAIL PROTECTED]>, Niels Bakker writes: > * [EMAIL PROTECTED] (Mark Andrews) [Wed 26 Nov 2008, 01:55 CET]: > > In message <[EMAIL PROTECTED]>, Niels Bakker writes: > >> * [EMAIL PROTECTED] (Tony Hain) [Wed 26 Nov 2008, 01:03 CET]: > >>> In

Re: IPv6 routing /48s

2008-11-25 Thread Mark Andrews
In message <[EMAIL PROTECTED]>, Niels Bakker writes: > * [EMAIL PROTECTED] (Mark Andrews) [Wed 26 Nov 2008, 02:57 CET]: > > 2002::/16 vs non 2002::/16 should be in the policy table. This is the > > default prefer ipv6 policy table for FreeBSD 6.4-PRERELEASE. There is

Re: IPv6 routing /48s

2008-11-26 Thread Mark Andrews
In message <[EMAIL PROTECTED]>, Mohacsi Janos writes: > > > > On Wed, 26 Nov 2008, Mark Andrews wrote: > > > > > Mark Andrews writes: > >> > >> In message <[EMAIL PROTECTED]>, Niels Bakker writes: > >>> * [EMAIL PROTECTED]

Re: IPv6 routing /48s

2008-12-09 Thread Mark Andrews
In message <[EMAIL PROTECTED]>, Niels Bakker writes: > * [EMAIL PROTECTED] (Mark Andrews) [Wed 26 Nov 2008, 03:20 CET]: > >It's used for both. > > Yet from /usr/src/lib/libc/getaddrinfo.c > --- > /* Rule 7: Prefer native transport. */ >

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-05 Thread Mark Andrews
The owner > of each domain or host could publish a self-signed cert in a TXT RR, > and the DNS chain of trust would be the only form of validation needed. Or one could use the CERT to publish a cert :-) Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: Security team successfully cracks SSL using 200 PS3's and MD5

2009-01-05 Thread Mark Andrews
the domain was delegated in the first place. The natural place to look for DNS trust is in the DNS. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: DNS Amplification attack?

2009-01-20 Thread Mark Andrews
ine > > Or better yet trace th

Re: DNS Amplification attack?

2009-01-20 Thread Mark Andrews
cache in 9.3.x. option/view level "allow-query { trusted; };" zone level "allow-query { any; };" BIND 9.4.x and later have allow-query-cache make the configuration job easier. It also defaults to directly

Re: DNS Amplification attack?

2009-01-21 Thread Mark Andrews
In message <497705bd.33e4.009...@globalstar.com>, "Crist Clark" writes: > >>> On 1/20/2009 at 7:23 PM, Mark Andrews wrote: > > > In message <20090121140825.xwdzd4p64kgwo...@web1.nswh.com.au>, > > j...@miscreant.org writes

Re: isprime DOS in progress

2009-01-23 Thread Mark Andrews
he rest of the world to properly implement ingress > filtering (ha, ha), I think dropping the specific packets that > generate the reflected traffic is good enough for now. The load on the > reflectors is minimal. > > Nathan. > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: Are we really this helpless? (Re: isprime DOS in progress)

2009-01-24 Thread Mark Andrews
f them do as they usually apply these filters to home networks. BCP 38 is ~10 years old now. It should have been factored into the purchasing decision of all the current equipment. If it wasn't then the operator was negligent. Mark > Regards,

Re: Are we really this helpless? (Re: isprime DOS in progress)

2009-01-24 Thread Mark Andrews
In message , Martin Hannigan writes: > On Sat, Jan 24, 2009 at 8:01 PM, Mark Andrews wrote: > > > > > In message <8c5f1fec-ff51-4ba2-a762-c13bc275e...@virtualized.org>, David > > Conrad writes: > > > It would seem that as ISPs implement DPI and protoc

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread Mark Andrews
Unless you are using 10.0.0.0/8 then you aren't implementing BCP 38 either. If you were you wouldn't be seeing queries from 10.0.0.0/8. Mark > Best wishes, > Nate Itkin > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread Mark Andrews
but at least it is a place > to start. I appended that code below for those who are interested in it. Which will just make the attacks evolve. It's pretty easy to design an amplifying DNS attack which is almost undetectable unless you know which addresses are bei

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-27 Thread Mark Andrews
elieve) is no longer there with BIND 9.4.3-P1. > The port was bound at startup time and did not change as long as named was > still running. > -- > Steve > Equal bytes for women. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Mark Andrews
ed". This should be auditable. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: Tightened DNS security question re: DNS amplification attacks.

2009-01-28 Thread Mark Andrews
ile > automatically and you're getting most of the way there, by sheer number > of DNS servers. > > -Phil The most common reason for recursive queries to an authoritative server is someone using dig, nslookup or similar and forgetting to disable recursion o

Re: Private use of non-RFC1918 IP space

2009-02-02 Thread Mark Andrews
a prefix > > that should enough for a decent sized country in a half-rack. > > > > It's only slightly harder to imagine a /48 being wasted like that. > > Except the RIRs won't give you another /48 when you have only used one > trillion IP addresses. > &g

Re: Private use of non-RFC1918 IP space

2009-02-03 Thread Mark Andrews
address, with a minimum > fee of AU$10,384. > > After the first year of the initial assignment or allocation, > there is an annual registration fee is AU$0.127 per host or > site address, with a minimum fee of AU$1,038.40. > > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-04 Thread Mark Andrews
g up and down). This is going to be far more of > an issue and drive network design than a minor blow out in the v6 > routing table. Assign the prefixes using PD and use aggregate routes outside of the pop. IPv6 nodes are designed to be renumbered. Use the technology. Stop thinking IPv4 and s

Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-04 Thread Mark Andrews
> > > No larger than their ARP tables are now. > > > And ARP tables are propagated around networks? No, they're local to a > router. > > MMC > > -- > Matthew Moyle-Croft - Internode/Agile - Networks > Level 4, 150 Grenfell Street, Adelaide, SA 5000 Aus

Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-04 Thread Mark Andrews
ess from a RIR, LIR or ISP. The lease may not be renewed when it next falls due. You may get assigned a different set of addresses at that point. You should plan accordingly. The only difference is the mechanisms used to assign the leases and the probability

Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)] (IPv6-MW)

2009-02-04 Thread Mark Andrews
that will > actually work in practice. And that brings us back to the good old catch-22 > of ISPs not supporting IPv6 because consumer CPE doesn't support it, and CPE > not supporting it because ISP don't... > > Scott. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-04 Thread Mark Andrews
In message <20090205030522.13d152b2...@mx5.roble.com>, Roger Marquis writes: > Mark Andrews wrote: > > All IPv6 address assignments are leases. Whether you get > > the address from a RIR, LIR or ISP. The lease may not be > > renewed when it next falls d

Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-05 Thread Mark Andrews
ing that does not work? BTW stateless autoconf and DHCP are complementary technologies. > The IPv4 mistake you've NOT learned from here is > "rarp". DHCP does far more than tell a host what address it should use. > (yes, I've called for the IPng WG member's execution, reanimation, and > re-execution, several times.) > > --Ricky > > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-05 Thread Mark Andrews
ady list as the DMZ address. :-) WII's should be able to be directly connected to the network without any firewall. If they can't be then they are broken. > c'ya > sven -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871

Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-06 Thread Mark Andrews
In message <498bddac.7060...@eeph.com>, Matthew Kaufman writes: > Mark Andrews wrote: > > WII's should be able to be directly connected to the network > > without any firewall. If they can't be then they are broken. > > As I'm sure you kn

Re: L3: Google from DC via the Netherlands?

2009-02-08 Thread Mark Andrews
- > Peter Beckman Internet Guy > beck...@angryox.com http://www.angryox.com/ > --- > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: 97.128.0.0/9 allocation to verizon wireless

2009-02-08 Thread Mark Andrews
ogy change over bring in new functionality. Mark > Does ARIN lack sufficient resources to vet jumbo requests? > > Did Verizon Wireless benefit from favoritism? > > Is Barack Obama concerned that his blackberry will not function if > Verizon one day runs out of v4

Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Mark Andrews
t be done, but > that there are so many still-to-be-answered questions between here and > there... And the only way to answer them is to go ahead and find the gaps. Waiting and waiting won't find the problems and will just put you under more time pressure.

Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-09 Thread Mark Andrews
| Stateless DHCPv6). address + default gateway. I know where the root servers live :-) -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

2009-02-09 Thread Mark Andrews
I know there are some that do. Please cite references. I can find plenty of firewall required references but I'm yet to find a NAT and/or RFC 1918 required. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-10 Thread Mark Andrews
tered manually, DHCPv6, or from IPv4 network > configuration (ie. DHCP!) Forcing this BS on the world is a colossal > waste. We've had a system to provide *ALL* the information a host needs > or wants in the IPv4 world for years. Why it's not good enough for IPv6 > is beyond me. > > --Ricky > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: Happy 1234567890 everyone!

2009-02-14 Thread Mark Andrews
Systems and Network Administrator - HiWAAY Internet Services > > I don't speak for anybody but myself - that's enough trouble. > > > > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: IPv6 Confusion

2009-02-17 Thread Mark Andrews
gnatures. The machine's name is not tied to the network on which it lives. Mark > Or, we simply continue down the path of more NATv4. > > Regards, > -drc > > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org

Re: IPv6 Confusion

2009-02-17 Thread Mark Andrews
In message <14076.1234917...@turing-police.cc.vt.edu>, valdis.kletni...@vt.edu writes: > --==_Exmh_1234917735_3892P > Content-Type: text/plain; charset=us-ascii > > On Wed, 18 Feb 2009 10:55:30 +1100, Mark Andrews said: > > I solve it by give the machine a na

Re: IPv6 Confusion

2009-02-17 Thread Mark Andrews
In message <33415e7e-23f2-45f2-9281-ab1685dee...@virtualized.org>, David Conrad writes: > > On Feb 17, 2009, at 1:55 PM, Mark Andrews wrote: > >> (which was never fully > >> thought out -- how does a autoconfig'd device get a DNS name > >> associated

Re: IPv6 Confusion

2009-02-17 Thread Mark Andrews
In message <6f7ba817-320b-414f-9811-03b476990...@virtualized.org>, David Conrad writes: > On Feb 17, 2009, at 3:55 PM, Mark Andrews wrote: > > In otherwords ISP's need to enter the 21st century. > > Yeah, those stupid, lazy, ISPs. I'm sure they're just s

Re: Dynamic IP log retention = 0?

2009-03-12 Thread Mark Andrews
termine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents. One shouldn't need to have to get the identities of the perpetrators to get AUP enforced. Port scanning is against 99.9% of AUP
